All Products
Search
Document Center

Elastic Container Instance:Grant permissions to a RAM user

Last Updated:Apr 01, 2026

RAM users created under an Alibaba Cloud account have no permissions by default. To let a RAM user manage Elastic Container Instance (ECI) resources, attach a permission policy to the user.

Prerequisites

Before you begin, ensure that you have:

Available policies

Two system policies cover ECI resources. Use the table below to choose the right one.

PolicyAccess levelIncluded permissions
AliyunECIReadOnlyAccessRead-onlyeci:Describe*, eci:List* — query ECI resources
ecs:DescribeSecurityGroups — query security groups
vpc:DescribeVSwitches — query vSwitches
vpc:DescribeVpcs — query virtual private clouds (VPCs)


AliyunECIFullAccessFull managementeci:* — all ECI operations
ecs:DescribeSecurityGroups — query security groups
vpc:DescribeVSwitches — query vSwitches
vpc:DescribeVpcs — query VPCs
vpc:DescribeEipAddresses — query Elastic IP Addresses (EIPs)



If the RAM user needs to work in the ECI console, attach AliyunECIFullAccess plus a custom policy that grants the following additional permissions:

ActionPurpose
ram:ListRolesQuery RAM roles of instances
nas:DescribeFileSystemsQuery NAS (network-attached storage) file systems
oss:ListBucketsQuery Object Storage Service (OSS) buckets
vpc:DescribeCommonBandwidthPackagesQuery EIP bandwidth plans
cr:GetRepoList, cr:GetRepoTags, cr:GetImageManifest, cr:SearchRepoQuery and search image repositories

Grant permissions

Step 1: Create the custom policy (console access only)

Skip this step if the RAM user only needs API access.

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. In the left navigation pane, choose Permissions > Policies.

  3. Click Create Policy.

  4. Click the JSON tab, paste the following policy, and click OK.

    {
        "Statement": [
            {
                "Action": "ram:ListRoles",
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": "nas:DescribeFileSystems",
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": "oss:ListBuckets",
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": "vpc:DescribeCommonBandwidthPackages",
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "cr:GetRepoList",
                    "cr:GetRepoTags",
                    "cr:GetImageManifest",
                    "cr:SearchRepo"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ],
        "Version": "1"
    }
  5. Enter a name in the Name field and click OK.

Step 2: Attach policies to the RAM user

  1. In the left navigation pane, choose Identities > Users.

  2. Find the RAM user and click Add Permissions in the Actions column.

  3. Configure the following parameters.

    ParameterDescription
    Resource ScopeAccount: permissions apply to the current Alibaba Cloud account.
    ResourceGroup: permissions apply to a specific resource group.
    PrincipalThe RAM user to grant permissions to. Pre-populated based on your selection; you can change it.
    PolicySelect based on the access level needed:
    - View ECI resources only → AliyunECIReadOnlyAccess
    - Manage ECI resources via API → AliyunECIFullAccess
    - Manage ECI resources via the ECI console → AliyunECIFullAccess + the custom policy from Step 1


  4. Click Grant permissions and follow the on-screen instructions.

What's next

To manage ECI permissions at a finer granularity, use resource groups or labels to control what individual RAM users can access: